ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94

Signature ID: 21009
Microsoft Windows NetDDE Long Share Name Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0206 Bugtraq: 11372 Nessus: 15572,15456
Signature Description: Microsoft Network Dynamic Data Exchange (NetDDE) allows two applications to
communicate with each other transparently over a network. A remotely exploitable buffer overflow vulnerability exists
in the NetDDE services that can lead to arbitrary code execution. Individual applications that want to exchange data
dynamically using NetDDE create machine resource shares. All share information is stored in the registry, and these
registry entries can be created on the server by means of the DDE Share Database Manager (DSDM) service. When a client
requests a particular share, the NetDDE service on the server looks up the share name in the registry and, if it exists,
checks permissions to grant it trusted status. The function exported by NetDDE to grant trusted status to a share is
NDdeSetTrustedShare(), which takes three arguments: the remote NetDDE server, the name of the share, and the operation
to be performed on the share. A trusted share present in the system registry can be modified upon successful execution
of a 'set trusted share' request. When attempting to construct an absolute registry path on which to operate, the
ShareName string value is concatenated onto the trusted share root path in a stack-based buffer without any boundary
checking. A remote attacker can therefore exploit this vulnerability by making a request to the
NDdeSetTrustedShare() function with a large share name to overflow the buffer. Successful exploitation may allow the
execution of arbitrary code on an affected computer with SYSTEM privileges. Administrators are advised to install the
updates described in MS04-031.
Signature ID: 21010
Microsoft Windows NetDDE Long Share Name Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0206 Bugtraq: 11372 Nessus: 15572,15456
Signature Description: Microsoft Network Dynamic Data Exchange (NetDDE) allows two applications to
communicate with each other transparently over a network. A remotely exploitable buffer overflow vulnerability exists
in the NetDDE services that can lead to arbitrary code execution. Individual applications that want to exchange data
dynamically using NetDDE create machine resource shares. All share information is stored in the registry, and these
registry entries can be created on the server by means of the DDE Share Database Manager (DSDM) service. When a client
requests a particular share, the NetDDE service on the server looks up the share name in the registry and, if it exists,
checks permissions to grant it trusted status. The function exported by NetDDE to grant trusted status to a share is
NDdeSetTrustedShare(), which takes three arguments: the remote NetDDE server, the name of the share, and the operation
to be performed on the share. A trusted share present in the system registry can be modified upon successful execution
of a 'set trusted share' request. When attempting to construct an absolute registry path on which to operate, the
ShareName string value is concatenated onto the trusted share root path in a stack-based buffer without any boundary
checking. A remote attacker can therefore exploit this vulnerability by making a request to the
NDdeSetTrustedShare() function with a large share name to overflow the buffer. Successful exploitation may allow the
execution of arbitrary code on an affected computer with SYSTEM privileges. Administrators are advised to install the
updates described in MS04-031.
Signature ID: 21011
Microsoft Windows Task Scheduler '.job' File Command Name Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0212 Bugtraq: 10708
Signature Description: Microsoft Windows Task Scheduler (Mstask.dll) is a COM-based API (ActiveX control) that
provides a scheduling service for executing arbitrary commands on a system. Task Scheduler saves tasks as files with
the .job file name extension. The scheduler contains a stack-based buffer overflow that can be triggered by an overlong
command in a .job file. By creating a malicious .job file with a large "to be executed" field, the stack can be
overwritten when the file is parsed by mstask.dll, allowing remote command execution. An attacker could exploit
this vulnerability by hosting the malicious file on a Web site or by sending it to a victim as an HTML email. The